oss-sec mailing list archives
CVE Request: lighttpd multiple issues (setuid/... unchecked return value, FAM: read after free)
From: Stefan Bühler <stbuehler () lighttpd net>
Date: Tue, 12 Nov 2013 17:14:15 +0100
Hi,

I'd like to request CVE ids for the following issues in lighttpd:

1. setuid/setgid/setgroups return values are not checked

   If setuid() fails for any reason (RLIMIT_NPROC) lighttpd runs as root.

   http://download.lighttpd.net/lighttpd/security/lighttpd_sa_2013_02.txt

2. If FAMMonitorDirectory fails, lighttpd reads a value from already free()d memory.

   http://download.lighttpd.net/lighttpd/security/lighttpd_sa_2013_03.txt

Both issues were found with clang static analyzer, so I assume the bad guys already know these.

regards,
Stefan
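The first issue in the message above, shown as an added example that is not part of the original post and is not lighttpd's code: an unchecked privilege drop next to a checked one, with a simulated setuid() failure. The names `priv_ops`, `drop_unchecked`, `drop_checked` and the stand-in functions are hypothetical, and uid/gid 1000 is a constructed value; a glibc/Linux `setgroups()` signature is assumed.

```c
#define _DEFAULT_SOURCE
#include <errno.h>
#include <grp.h>
#include <stdio.h>
#include <sys/types.h>
#include <unistd.h>

/* Syscalls are reached through pointers so the failure path can be
 * exercised without root. All names in this file are hypothetical. */
struct priv_ops {
    int (*set_groups)(size_t, const gid_t *);
    int (*set_gid)(gid_t);
    int (*set_uid)(uid_t);
};
const struct priv_ops real_ops = { setgroups, setgid, setuid };

/* Pattern from the report: results ignored, so a failed setuid() goes
 * unnoticed and the process keeps running with its original uid. */
int drop_unchecked(const struct priv_ops *ops, uid_t uid, gid_t gid) {
    ops->set_groups(0, NULL);
    ops->set_gid(gid);
    ops->set_uid(uid);
    return 0; /* always reports success */
}

/* Checked form: groups, then gid, then uid. Returns 0 only when all
 * three succeeded; on -1 the caller must exit instead of serving. */
int drop_checked(const struct priv_ops *ops, uid_t uid, gid_t gid) {
    if (ops->set_groups(0, NULL) != 0) { perror("setgroups"); return -1; }
    if (ops->set_gid(gid) != 0)        { perror("setgid");    return -1; }
    if (ops->set_uid(uid) != 0)        { perror("setuid");    return -1; }
    return 0;
}

/* Constructed stand-ins: fail_uid() mimics setuid() failing with EAGAIN,
 * as it can when RLIMIT_NPROC is reached for the target user. */
static int ok_groups(size_t n, const gid_t *l) { (void)n; (void)l; return 0; }
static int ok_gid(gid_t g) { (void)g; return 0; }
static int ok_uid(uid_t u) { (void)u; return 0; }
static int fail_uid(uid_t u) { (void)u; errno = EAGAIN; return -1; }
const struct priv_ops ok_ops = { ok_groups, ok_gid, ok_uid };
const struct priv_ops nproc_ops = { ok_groups, ok_gid, fail_uid };

int main(void) {
    /* 1000 is a constructed target uid/gid. */
    printf("unchecked: %d\n", drop_unchecked(&nproc_ops, 1000, 1000));
    printf("checked:   %d\n", drop_checked(&nproc_ops, 1000, 1000));
    return 0;
}
```

In a real daemon `real_ops` would be passed in place of the stand-ins, and a `-1` from `drop_checked()` would terminate startup.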